RETIRED: Verizon Wireless Network Extender Multiple Local Privilege Escalation Vulnerabilities
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
PCMan's FTP Server 'USER' Command Buffer Overflow Vulnerability
Multiple Western Digital My Net Devices Information Disclosure Vulnerability
YardRadius Multiple Local Format String Vulnerabilities
Apple's reported interest in a larger iPad tablet with a 13-in. screen shows that the Cupertino Calif. company is thinking along some of the same lines as its rival Microsoft, analysts said today.
The world's largest social network announced on Sunday that it has more than 100 million monthly users for its Facebook For Every Phone, a streamlined app for non-smartphones.
Google, and its bevy of services, including Gmail, search, YouTube and Maps, account for 25% of all Internet traffic in North America, on average, according to Deepfield, an Internet monitoring company.
SanDisk today unveiled its Connect line of wireless flash memory drives, which include the Connect Wireless Flash Drive and the SanDisk Wireless Media Drive.

Millions of smartphones could be remotely commandeered in attacks that allow hackers to clone the secret encryption credentials used to secure payment data and identify individual handsets on carrier networks.

The vulnerabilities reside in at least 500 million subscriber identity module (SIM) cards, which are the tiny computers that store some of a smartphone's most crucial cryptographic secrets. Karsten Nohl, chief scientist at Security Research Labs in Berlin, told Ars that the defects allow attackers to obtain the encryption key that safeguards the user credentials. Hackers who possess the credentials—including the unique International Mobile Subscriber Identity and the corresponding encryption authentication key—can then create a duplicate SIM that can be used to send and receive text messages, make phone calls to and from the targeted phone, and possibly retrieve mobile payment credentials. The vulnerabilities can be exploited remotely by sending a text message to the phone number of a targeted phone.

"We broke a significant number of SIM cards, and pretty thoroughly at that," Nohl wrote in an e-mail. "We can remotely infect the card, send SMS from it, redirect calls, exfiltrate call encryption keys, and even hack deeper into the card to steal payment credentials or completely clone the card. All remotely, just based on a phone number."

Read 5 remaining paragraphs | Comments


Oracle Java SE CVE-2013-2420 Integer Overflow Vulnerability
SAP's pending return to a single CEO structure is the right move at the right time, according to co-founder and Chairman Hasso Plattner and co-CEO Jim Hagemann Snabe, who is planning to leave his post next May and join the company's Supervisory Board.
Microsoft is prepping Wall Street for a 2% slip in Windows revenue for the third quarter and warning that PC shipments will continue their double-digit tumble.
Programming tools that harness the computing power of CPUs and graphics processors have been updated, bringing more parallel programming capabilities to the table.
Canonical is taking its innovative smartphone design directly to potential customers. The company has launched a crowdfunding campaign to build the original batch of its planned Ubuntu Edge devices.
Oracle Java SE CVE-2013-1540 Remote Java Runtime Environment Vulnerability
Oracle and ARM are working together to make the Java programming language more suitable for ARM processors, in order to encourage its use for embedded systems and enterprise software.

SANS Institute and CrowdStrike Partner to Offer "Hacking Exposed Live ...
MarketWatch (press release)
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security ...

and more »
Google has acquired from the SR Tech Group a portfolio of U.S. patents and patent applications that includes several speech related patents.
The big data market is expected, by one estimate, to grow more than 30 percent annually until the end of the decade. But more than half of big data projects fail--and even those that do succeed can fall apart if the findings aren't applied to operational efficiencies. Ron Bodkin, CEO of Think Big Analytics, offers advice to help you prevent your business from becoming just another statistic.
The British government wants Google, Yahoo and Microsoft to block Internet searches that are likely to lead to child abuse images.
Apache HTTP Server CVE-2013-1896 Remote Denial of Service Vulnerability
Full Disclosure - WD My Net N600, N750, N900, N900C - Plain Text Disclosure of Admin Credentials
Barracuda CudaTel - SQL Injection Vulnerability
Google appears to be preparing to ramp up production of its Google Glass product with an investment in a Taiwanese chip maker that manufactures components used in the wearable device.
LinuxSecurity.com: Two security issues have been found in the Tomcat servlet and JSP engine: CVE-2012-3544 [More...]
LinuxSecurity.com: Several vulnerabilities have been discovered in the Chromium web browser. CVE-2013-2853 [More...]
Multiple Siemens OpenScape Products Multiple Security Vulnerabilities
Tumblr for iOS Information Disclosure Vulnerability
Huge data center, check. Multiple 10G Ethernet pipes, check. Load balancer, check. Firewall? Really? Do network architects need to buy yet another box, and likely take a performance hit?
Django Formsets Denial of Service Vulnerability
Stings, penetration pwns, spy games -- it's all in a day's work along the thin gray line of IT security
Hewlett Packard and Japan's NEC will expand their existing partnership to develop high-end x86-based servers for cloud and Web applications.
Software development employment has increased over the past 10 years, but not all IT areas have done as well. The number of jobs for engineers fell over the same period.
The Foreign Intelligence Surveillance Court has renewed permission to the U.S. government for a controversial program to collect telephone metadata in bulk.
A website dedicated to discussion of the Ubuntu Linux distribution was breached on Saturday, with hackers gaining access to encrypted passwords and email addresses.
Apple on Sunday admitted that its developer website, which has been offline since Thursday, had been hacked and sSome information may have been stolen.
Microsoft DirectShow CVE-2013-3174 Remote Code Execution Vulnerability
Little CMS Multiple Unspecified Null Pointer Dereference Denial of Service Vulnerabilities

Apple closed access to it's developer site after learning that it had been compromissed and developers personal information had been breached [1].

In the notice posted to the site, Apple explained that some developers personal information like name, e-mail address and mailing address may have been accessed. The note does not mention passwords, or if password hashes were accessed. 

One threat often forgotten in these breaches is phishing. If an attacker has access to some personal information associated with a site, it is fairly easy to craft a reasonably convincing phishing e-mail using the fact that the site was breached to trick users to reset their password. These e-mail may be more convincing if they include the user's user name, real name or mailing address as stored with the site.

A video on YouTube claims to show records obtained in the compromisse [2] . The video states that 100,000 accounts were access to make Apple aware of the vulnerability in its site and that the data will be deleted.

[1] http://devimages.apple.com/maintenance/
[2] http://www.youtube.com/watch?v=q000_EOWy80

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Software development employment has increased over the past 10 years, but not all IT areas have done as well. The number of jobs for engineers fell over the same period.
When it comes to style, the new model looks exactly like its predecessor. This year's changes are all beneath the surface -- and are uniformly good, says Michael deAgonia.
OpenStack Keystone CVE-2013-2157 Authentication Bypass Vulnerability
OpenStack Keystone CVE-2013-2014 Denial of Service Vulnerability
TYPO3 TEQneers SEO Enhancements Extension Cross Site Request Forgery Vulnerability
[CVE-2013-2250] Apache OFBiz Nested expression evaluation allows remote users to execute arbitrary UEL functions in OFBiz
DirectShow Arbitrary Memory Overwrite Vulnerability ms13-056
Samsung TV - DoS vulnerability
Re: [Full-disclosure] [SE-2012-01] New Reflection API affected by a known 10+ years old attack

Posted by InfoSec News on Jul 22

Forwarded from: deepsec (at) deepsec.net

--- DeepSec 2013 "Seven Seas" - Call for Papers - REMINDER!

We are looking for talks and trainings for the DeepSec In-Depth Security
Conference 2013 ("Seven Seas"). We invite researchers, developers, auditors and
everyone else dealing with information security to submit their work. We offer
slots for talks and workshops, and we encourage everyone working on projects to

Posted by InfoSec News on Jul 22


By Zack Whittaker
Zero Day
ZDNet News
July 21, 2013

Ubuntu Forums suffered a massive data breach, the company behind the Linux
open-source based operating system said on Saturday.

In an announcement posted on its main forum page, Canonical confirmed
there had been a security breach and that the team is working to restore
normal operations.

The notice...

Posted by InfoSec News on Jul 22


By Rakhi Chakrabarty
The Times of India
July 20, 2013

NEW DELHI: Cyber attacks on ministries, including home, external affairs,
power and telecom, could soon constitute cyber-terrorism and could be
punished with life imprisonment. Tough new guidelines were released by
national security advisor Shivshankar Menon on Friday by which these...

Posted by InfoSec News on Jul 22


By Jennifer Martinez
Hillicon Valley
The Hill

Hill staffers should take this week’s hacker attack against an email
newsletter service commonly used by congressional offices seriously,
experts say.

There was confusion on Capitol Hill after a Twitter account affiliated
with the hacker group Anonymous claimed it posted...

Posted by InfoSec News on Jul 22


By Vanessa O'Brien
International Business Times
July 19, 2013

TEL AVIV, Israel -- Israel conceals some of its best-kept secrets deep in
the inhospitable Negev Desert: its nuclear research center near Dimona,
its advanced agricultural research programs, its base for Unit 8200 of the
army’s intelligence corps.

Now, the...
Apache OpenJPA Object Deserialization Arbitrary File Creation or Overwrite Vulnerability
Barracuda CudaTel - Remote SQL Injection Vulnerability
Barracuda LB, SVF, WAF & WEF - Multiple Vulnerabilities
Internet Storm Center Infocon Status